From owner-freebsd-isp@FreeBSD.ORG Tue Oct 24 00:09:49 2006
Return-Path:
X-Original-To: freebsd-isp@freebsd.org
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 95AAD16A415 for ; Tue, 24 Oct 2006 00:09:49 +0000 (UTC) (envelope-from ee@uncanny.net)
Received: from smtp.uncanny.net (smtp.uncanny.net [64.81.245.44]) by mx1.FreeBSD.org (Postfix) with ESMTP id 78F1243DD0 for ; Tue, 24 Oct 2006 00:08:14 +0000 (GMT) (envelope-from ee@uncanny.net)
Received: from sandbox.uncanny.net (sandbox.uncanny.net [192.168.49.254]) by smtp.uncanny.net (Postfix) with ESMTP id 6B1752ED for ; Mon, 23 Oct 2006 17:08:05 -0700 (PDT)
Received: by sandbox.uncanny.net (Postfix, from userid 1000) id 71E338BF; Mon, 23 Oct 2006 17:08:05 -0700 (PDT)
Date: Mon, 23 Oct 2006 17:08:05 -0700
From: Edward Elhauge
To: freebsd-isp@freebsd.org
Message-ID: <20061024000805.GA12810@uncanny.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Subject: Internet Link Detective Audit
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: ee@uncanny.net
List-Id: Internet Services Providers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 24 Oct 2006 00:09:49 -0000

I'm hoping someone on this list can steer me in the right direction towards figuring out what is going on with my internet link (or rather the tools to figure it out on my own).

I had a call from my ISP claiming that they saw unusual network activity (high usage). At first we thought it was simply my new peering, but a few weeks later they claimed up to 7GB on port 5560 (iMesh). Since I block port 5560 incoming, I have to figure it must be from the inside. I'm puzzled because, as far as I can tell from my Postfix and INN logs, I'm using only 100 MB per day or so.

With about 15 machines on our building's network, it might be a bit difficult to figure out what is going on just by inspection (also some of the clients are Mac, Windows XP and Ubuntu). What I'd like is a tool running on FreeBSD that will sort IP traffic coming across my Internet interface by:

SRC IP, PROTOCOL and PORT
DEST IP, PROTOCOL and PORT

then give me total KBs passed in that interval.

I currently have one FreeBSD machine devoted to Gateway Router and NAT. It runs ipfilter (ipf). From reading the list over the years I know about tools that do things like this, but don't know of one that does this exactly. I set up ifstat, but it doesn't sort the traffic by src, dest, port, etc., just a total KB/s in/out.

I know that one can use dummynet or ALTQ to do bandwidth shaping, but I'd rather find out where all the traffic is going rather than just restricting it.

Perhaps snort would do what I want, but before I spent the time setting it up I wanted to make sure that I could easily get a count of Kb/s flowing across the interface, since my main interest isn't intrusion detection, but really something more like a traffic audit.

Any pointers for how to instrument this are greatly appreciated.

--
Edward Elhauge
"The life which is unexamined is not worth living." -- Plato
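The accounting the poster describes (bytes summed per source address, protocol and port, destination address and port, with totals per time interval) is straightforward to do offline once packets are logged in a parseable form. The script below is an added example, not code from the original mail or from any FreeBSD tool; it assumes a simplified, constructed per-packet log format of the shape `<epoch-seconds> <proto> <src>.<sport> > <dst>.<dport> <bytes>` rather than any real tcpdump or ipmon output, and the sample lines are invented. It aggregates per 5-tuple, ranks the largest flows in KB, totals bytes per time bucket, and attributes traffic on a given port (here 5560, the port named in the mail) to internal source hosts so the offending machine can be found rather than merely rate-limited.

```python
"""Per-flow byte accounting over a packet log.

Added example (not the poster's setup). Assumed input: one packet per line in
a simplified, tcpdump-like form that is an assumption of this example:
    <epoch-seconds> <proto> <src>.<sport> > <dst>.<dport> <bytes>
The sample lines below are constructed, not captured from any real link.
"""
from collections import defaultdict
import re

# Assumed line format (see module docstring); malformed lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+)\s+(?P<len>\d+)$"
)

# Constructed sample log: an internal host pushing data on port 5560,
# a DNS lookup, an SMTP session, and one junk line.
SAMPLE_LOG = """\
1161648000.10 tcp 192.168.49.10.49152 > 64.81.245.44.5560 1400
1161648000.25 tcp 64.81.245.44.5560 > 192.168.49.10.49152 60
1161648001.00 tcp 192.168.49.10.49152 > 64.81.245.44.5560 1400
1161648001.50 udp 192.168.49.12.51000 > 198.51.100.7.53 78
1161648002.00 tcp 192.168.49.11.49300 > 203.0.113.9.25 520
1161648003.00 udp 192.168.49.10.5560 > 198.51.100.200.5560 1200
bogus line that should be skipped
"""


def parse_line(line):
    """Return a dict for one packet line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": float(m["ts"]), "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "bytes": int(m["len"]),
    }


def aggregate_flows(log_text):
    """Sum bytes per (src, sport, proto, dst, dport) 5-tuple."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not packet records
        key = (rec["src"], rec["sport"], rec["proto"], rec["dst"], rec["dport"])
        totals[key] += rec["bytes"]
    return dict(totals)


def top_flows(totals, n=5):
    """Largest flows first, as (5-tuple, kilobytes) with KB = 1024 bytes."""
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(key, nbytes / 1024) for key, nbytes in ranked[:n]]


def bucket_totals(log_text, bucket_s=1.0):
    """Total bytes per time bucket of bucket_s seconds, keyed by bucket start."""
    per_bucket = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        start = (rec["ts"] // bucket_s) * bucket_s
        per_bucket[start] += rec["bytes"]
    return dict(per_bucket)


def bytes_by_port(totals, port):
    """Bytes of every flow touching `port` (either end), attributed to the source host."""
    per_src = defaultdict(int)
    for (src, sport, _proto, _dst, dport), nbytes in totals.items():
        if sport == port or dport == port:
            per_src[src] += nbytes
    return dict(per_src)


if __name__ == "__main__":
    flows = aggregate_flows(SAMPLE_LOG)
    for key, kb in top_flows(flows):
        print("%-15s %-5d %-4s -> %-15s %-5d %8.2f KB" % (key + (kb,)))
    print("port 5560 by source host:", bytes_by_port(flows, 5560))
    print("bytes per second:", bucket_totals(SAMPLE_LOG))
```

On a real gateway the log would come from a capture on the outside interface and the bucket width would be the reporting interval; the point of the per-port attribution is that it answers the question the ISP raised (which internal host is speaking on port 5560) without any shaping.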